Marco Colombo wrote:

What field is that, exactly? v3 extension?

I'm not sure... it's in the OpenSSL header files as "NID_pkcs9_emailAddress".


Anyway, the goal of authentication is to identify users, not email
addresses. The whole idea of using certs is broken, unless you use
the cert itself. No CA makes any attempt to provide _unique_ information.
And the uniqueness of an email address is pretty weak. The only unique
info you can extract from a cert is the public key, which is what you're
actually using to identify the remote party.

I agree, but in this case the email address _is_ the user name.

Of course, if your server trusts only _one_ CA, and you have control
over how that CA works, you can use certs safely. You can make sure
CN data (or any data) is unique.

Exactly, that's the only scenario where this is viable. When I document this for people to use, I'll make that perfectly clear: if you configure your system to accept _any_ client certificate, you are not doing yourself any good. This method _only_ works when you are administering the CA yourself and have complete control over the contents of the certs and who has access to them. Granted, I could also just make the CN in the cert be the user's email address, but I'd rather leave it as their full name (it's much nicer in Horde that way, plus we also use it for Trac).
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
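The single-CA rule the thread settles on, as an added shell example (this is not code from the thread or from Cyrus, and only assumes the openssl command-line tool is installed). Two CAs are built: "ours", the one the server is configured to trust, and "other", standing in for any third-party CA. Each issues a client cert for the same emailAddress and CN, so the subject fields alone cannot tell them apart; only chaining to the pinned CA can, and only the public key is unique by construction. The CA names, user name, e-mail address and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Cyrus: why a subject field such
# as emailAddress only names a user when the server trusts exactly ONE CA
# that you administer. All names, addresses and file names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA cert carries basicConstraints CA:TRUE and the
# client certs are explicitly non-CA, regardless of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

make_ca() {        # make_ca <name> <CN>  -> $WORK/<name>.key, $WORK/<name>.pem
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
    openssl req -x509 -new -key "$WORK/$1.key" -out "$WORK/$1.pem" -days 1 \
        -config "$WORK/ca.cnf" -subj "/CN=$2" 2>/dev/null
}

# Client cert whose subject carries a CN and the PKCS#9 emailAddress attribute
# (NID_pkcs9_emailAddress in the OpenSSL headers).
issue_client() {   # issue_client <ca-name> <out-name> <CN> <email>
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$2.key"
    openssl req -new -key "$WORK/$2.key" -out "$WORK/$2.csr" \
        -config "$WORK/ca.cnf" -subj "/CN=$3/emailAddress=$4" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.cnf" -extensions v3_client \
        -out "$WORK/$2.pem" 2>/dev/null
}

cert_email() {     # prints the e-mail address(es) embedded in the cert
    openssl x509 -in "$1" -noout -email
}

cert_cn() {        # prints the subject CN
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The one attribute that is unique by construction: a hash of the public key.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# What the server must do: take the e-mail address as the user name ONLY
# after the cert has chained to the single CA we administer. Prints the
# address on success; prints nothing and returns 1 otherwise.
authenticate() {   # authenticate <trusted-ca.pem> <client.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cert_email "$2"
}

make_ca ours  "Example Org CA"
make_ca other "Some Other CA"
issue_client ours  jane     "Jane Doe" "jane@example.org"
issue_client other impostor "Jane Doe" "jane@example.org"

# Same subject fields, different keys, and only one of them is ours.
for c in jane impostor; do
    echo "$c.pem: email=$(cert_email "$WORK/$c.pem") cn=$(cert_cn "$WORK/$c.pem")" \
         "key=$(pubkey_fingerprint "$WORK/$c.pem" | cut -c1-16)..."
    if user=$(authenticate "$WORK/ours.pem" "$WORK/$c.pem"); then
        echo "$c.pem: accepted, user name = $user"
    else
        echo "$c.pem: rejected, not issued by the CA we trust"
    fi
done
```

Run it with `sh`. Both certs print the same e-mail address and CN, so a server that accepted any client cert and read emailAddress as the login would let the impostor in; the only things that differ are the public-key fingerprints and the issuer. `authenticate` therefore verifies the chain against the single pinned CA file first and only then reads the address, which is exactly the "administer the CA yourself" scenario described above.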
